No longer able to log users off via RDP

Workstations on our domain are unable to RDP into workstations currently logged in by another user. Fast user switching is disabled and only one session can be active at a time.

When attempting to RDP into a workstation, the current user in a session is notified that someone is attempting to remote in. If that user accepts, they are returned to the ctrl+alt+del screen, but the connecting workstation remains on "Please wait for [domain\user] to respond..." until it times out. The current user, returned to the CAD screen, will press CAD and see that their session has actually not ended and is prompting them for their password to unlock the workstation.

Changing Group Policy to prompt the user for control or not to prompt yields the same results.

Uninstalling the SafeGuard client will allow this functionality to return.  Reinstalling and encrypting once again disables it.

The symptoms are the same no matter what Credential Provider we're using for the host/client: SafeGuard's, Imprivata, or the standard Windows "Other user".

Uninstalling Imprivata does not affect this.

This functionality has been available to us in the past when using V6 clients on a V6 server. We're unable to pinpoint when the issue arose, but it may have been at the installation of our V7 server.

Can others verify that they are able to log off users via RDP connections if working in an environment where RDP is enabled?

And, if others confirm that this is definitely possible with SafeGuard, we're confident we have something amiss on our side; any suggestions of what to look for?

  • On W10x64 1703, I can bump off machines without SGN as expected, but SGN to SGN it starts the log-off process for the remote system and then errors waiting for the User Profile Service. Starting a new session goes right to starting the logon but errors at the same spot.

    No group policy forbidding fast user switching, but I think that policy just does what it says and hides the entry points at the CAD screen anyway.

    Same failure going to an SGN workstation running W7x64 Ultimate.

    Worked as expected going from SGN to a non-SGN workstation.

    Event logs look clean and the same for all of them on both ends of the connection.

  • In reply to james63:

    Everyone else has the same loss of functionality? Maybe I'm just not grasping a certain aspect of a potential security issue, but it seems incredibly asinine that a user would not be able to log off another user using RDP. I can't fathom a reason why this would be a "feature" of SafeGuard, as it now breaks the workflow of many of our clinical staff that have shared workstations. If a practice is closed and a user attempts to remote in from home, they won't be able to do anything until the office opens again and the user can be kicked off by physically visiting the workstation.

    This is absolutely unacceptable; is there any other recourse available for these users other than ditching Sophos altogether?

  • In reply to Headache:

    Yes, I could understand if maybe there are issues with keys if multiple users are logged on and we would be unable to reliably use fast user switching, but not letting a remote administrator log a user off? I also have VNC, so at least I have a fallback to force the user off with that, but it's cumbersome and frustrating to have to do it that way.
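Added example (not from anyone in this thread, and not Sophos code): a PowerShell helper for the two things asked for above, "what to look for" on the host side, and a fallback for kicking the stuck user without VNC. It lists the interactive sessions on the target with quser, pulls the TerminalServices LocalSessionManager and User Profile Service operational events from around the failed logoff (the User Profile Service is where james63's attempt hung), and, as a last resort, terminates a session with logoff.exe over RPC, which does not depend on an RDP logon completing. The host name WS-CLINIC01 is a placeholder, the quser sample at the bottom is constructed, and it assumes you are a local administrator on the target with the remote event log and RPC reachable.

```powershell
# Added example, not from the thread. Assumes local admin on the target workstation,
# reachable RPC/remote event log, and placeholder host names.

function ConvertFrom-QuserOutput {
    # Parse quser text into objects. Disconnected sessions have an empty SESSIONNAME
    # column, so the session name is optional in the pattern; ">" marks the caller's own session.
    param([string[]]$Lines)
    $re = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\w+)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # first line is the header
        if ($line -match $re) {
            [pscustomobject]@{
                User    = $Matches.User
                Session = $Matches.Session      # $null for disconnected sessions
                Id      = [int]$Matches.Id
                State   = $Matches.State        # Active / Disc
                Logon   = $Matches.Logon.Trim()
            }
        }
    }
}

function Get-InteractiveSession {
    # Console and RDP sessions on a remote workstation, via quser /server.
    param([Parameter(Mandatory)][string]$ComputerName)
    $out = quser /server:$ComputerName 2>&1
    if ($LASTEXITCODE -ne 0) { return @() }   # "No User exists" also exits non-zero
    ConvertFrom-QuserOutput -Lines $out
}

function Get-SessionEvents {
    # Events to compare between a working (non-SGN) and a failing (SGN) target.
    # LocalSessionManager: 21 logon, 23 logoff, 24 disconnect, 25 reconnect,
    #   39 session disconnected by another session, 40 disconnect with reason code.
    # User Profile Service: 1/2 logon notification received/finished,
    #   3/4 logoff notification received/finished. A 3 with no matching 4 is the hang
    #   described in the thread.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Minutes = 30)
    $since = (Get-Date).AddMinutes(-$Minutes)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
           Id = 21, 23, 24, 25, 39, 40; StartTime = $since }
        @{ LogName = 'Microsoft-Windows-User Profile Service/Operational'
           Id = 1, 2, 3, 4; StartTime = $since }
    )
    $events = foreach ($f in $filters) {
        # SilentlyContinue: Get-WinEvent raises an error when a filter matches nothing.
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
    }
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Log'; e = { $_.LogName.Split('/')[0].Split('-')[-1] } }, Message
}

function Disconnect-InteractiveSession {
    # Force-terminate a session by ID. logoff.exe works over RPC, so it does not need the
    # RDP logon/logoff handshake that is failing in the thread. Returns $true on success.
    param([Parameter(Mandatory)][string]$ComputerName, [Parameter(Mandatory)][int]$SessionId)
    logoff $SessionId /server:$ComputerName
    return ($LASTEXITCODE -eq 0)
}

# Constructed quser output, so the parser can be exercised offline:
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 jsmith                console             1  Active       1:05  1/8/2018 7:42 AM
 rjones                                    2  Disc        12:31  1/8/2018 6:10 AM
'@ -split "`r?`n"
ConvertFrom-QuserOutput -Lines $sample | Format-Table -AutoSize

# Against a real workstation (placeholder name):
# Get-InteractiveSession -ComputerName WS-CLINIC01
# Get-SessionEvents -ComputerName WS-CLINIC01 -Minutes 60 | Format-Table -Wrap
# Disconnect-InteractiveSession -ComputerName WS-CLINIC01 -SessionId 1
```

Run Get-SessionEvents on an SGN target and on a non-SGN target right after reproducing the failure; the event that is present on the working host and missing on the failing one is the place to take to Sophos support. Disconnect-InteractiveSession is the blunt fallback for the closed-office case: the user's unsaved work is lost, exactly as with the VNC approach.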